fix: prevent path traversal in view lookup

[kuishou68]

Summary

Fix a path traversal vulnerability in View.prototype.lookup where a relative view name containing ../ sequences could resolve to files outside the configured views root directories.

Problem

app.set('views', '/safe/views');
app.render('../../../etc/passwd', callback);
// Previously could read files outside /safe/views

Fix

Added a containment check after path resolution: if the resolved path does not start with the root directory prefix, the lookup is skipped for that root. Absolute paths are intentionally excluded from the check to preserve existing Express behavior (app.render('/absolute/path') is supported).

// security: ensure resolved path stays within root directory
var resolvedRoot = resolve(root);
if (!isAbsolute(name) && loc !== resolvedRoot && !loc.startsWith(resolvedRoot + sep)) {
  debug('path traversal attempt detected: "%s" resolved outside root "%s"', name, root);
  continue;
}

Testing

All existing tests pass (npm test). The fix preserves:

• Normal relative view lookup
• Multiple views roots (array)
• Absolute path rendering (app.render('/abs/path'))
• View engine extension resolution

[krzysdz]

Duplicate of #7142

Duplicate of #7216